ID-ing Spammers
Spammers often forge the headers of their email in an attempt
to avoid losing their accounts and to evade email filters.
These notes may help you track the source of spam.
The most important thing is to have a mail reader that can
show you the full headers of an email in question. The important
lines are as follows:
From:
Who the message is from. This is the easiest to forge and
thus the least reliable.
From
As distinct from the "From:" line (note the absent colon), this
line is not actually part of the email header, but mail transfer
software often inserts it when the mail is received. Many Unix
mailers use this line to separate messages in a mail folder. This
line will always be the first line in the headers. This line can
also be forged, but is not always.
Reply-To:
The address to which replies should be sent. Often absent
from the message, and very easily forgeable. However, it often
provides a clue. For example, forged spam often has a legitimate
Reply-To: field so that the spammer can receive mail orders.
Return-Path:
The email address for return mail. Same as Reply-To:
Sender:
The account that sent the message. Mail software is supposed
to insert this line if the user modifies the From: line. Most
mail software is broken in this respect, so this line is rarely
present. Some mailers provide an X-Sender: line.
Message-ID:
A unique string assigned by the mail system when the message
is first created. This is also forgeable in most cases, but
requires a little more specialized knowledge than forging
the From: line. Also, the Message-ID: often identifies the
system from which the sender is logged in, rather than the
actual system where the message originated.
The format of a Message-ID: field is
<unique string>@<sitename>
Each kind of mail software has its own style of unique string.
Sloppy forgeries often get it wrong, thus a forgery can be
confirmed by comparing the message id with some legitimate
messages from that same site.
Received:
These are the most reliable lines in the header. They form
a list of all sites through which the message traveled in
order to reach you. They are completely unforgeable after
the point where the message was injected. Up to that point,
they may be forgeries.
Received: lines are read from bottom to top. That is, the
first Received: line is your own system or mail server. The
last (non-forged) Received: line is where the mail originated.
Each mail system has its own style of Received: line. A
Received: line typically identifies the machine that received
the mail and the machine that the mail was received from.
For example:
Received: from foo.com by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
The "foo.com" part is the name that the sending
machine used to identify itself. This may be forged in the
case of spam. The id is for logging purposes and may help
system administrators track the spam if you can get them to
cooperate with you.
Many mailers will add extra information. For example:
Received: from foo.com ([129.2.3.4]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02
In this case, bar.com has inserted the IP address of the sending
system. If the machine name does not match the IP address,
then you have likely identified the point where the mail was
forged. In other words, the machine whose address is 129.2.3.4
lied when it identified itself as foo.com. Any
Received: lines that follow are likely to be forgeries.
If the IP address does not make sense (for instance, no component
may be greater than 255), then this entire Received: line
is a fake. Contact a system admin for more advice in determining
if an IP address is bogus. If the entire Received: line is
fake, then the injection point is somewhere above in
the headers.
Sometimes you will see
Received: from foo.com (x.y.alterdial.uu.net [129.2.3.4])
by bar.com id AA15057; ...
In this case, the mailer has inserted both the IP address
and the real name of the sending system. This will help you
identify forgeries and eliminate the need to look up the IP
address by hand.
Comment:
Some mailers may add additional information to the headers,
such as "Authenticated sender is doe@foo.com". Forged
Comment: lines can be easily added to outgoing mail, so this
line is likely to be fake, but not always.
Other mailers may insert their own authentication information
in the headers.
Here is an example of a forgery:
From webpromo@denmark.it.earthlink.net Tue Jul 8 13:05:02 1997
Return-Path:
From: webpromo@denmark.it.earthlink.net
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [204.119.177.22])
    by best.com (SMI-8.6/mail.byaddr) with ESMTP id NAA21506 for ; Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])
    by denmark.it.earthlink.net (8.8.5/8.8.5) with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net (8.8.5/8.6.5)
    with SMTP id GAA05239 for ; Tue, 08 Jul 1997 15:48:51 -0600 (EST)
To: adultpromo@earthlink.net
Message-ID: <199702170025.GAA08056@no-where.net>
Date: Tue, 08 Jul 97 15:48:51 EST
Subject: Hot News !
Reply-To: adultpromo@earthlink.net
X-PMFLAGS: 12345678 9
X-UIDL: 1234567890x00xyz1x128xyz426x9x9x
Comments: Authenticated sender is
Content-Length: 672
X-Lines: 26
Status: RO
Obviously, the To: line is a forgery; the actual recipient
list was hidden, probably with a blind carbon copy (Bcc: header).
The "From", "Return-Path:" and "From:" lines all identify the
same email address, but that may be a forgery. You can try
mailing to the given address and see if your complaint bounces.
The "To:", "Reply-To:" and "Authenticated sender" lines all
identify a different account. Again, these may all be forgeries.
The Message-ID: line is an obvious fake.
The first Received: line shows the mail arriving at my service
provider from Earthlink. I trust my service provider, so this
line is almost certainly valid.
The second Received: line shows this inconsistency:
... from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])
In other words, the machine that delivered the mail to
denmark.it.earthlink.net identified itself as mail.earthlink.net
but was actually named 1Cust98.Max16.Detroit.MI.MS.UU.NET. This
is very likely a lie. However, Earthlink rents POPs from Uunet,
so this might be an Earthlink customer dialing in from Uunet.
The third Received: line is completely bogus. If the mail came
from a dial-in customer at Uunet, there wouldn't be any more
Received: lines. If the mail was being relayed from Uunet, this
Received: line would indicate Uunet, not Earthlink. Further,
this Received: line contains email addresses, not machine names.
Clearly, this email was forged to make it look like it came from
Earthlink but was actually injected from Uunet. Whether this was
by an Earthlink customer or some other Uunet customer is impossible
to tell without cooperation from Earthlink sysadmins.
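As an added example (not part of the original notes), here is a small Python script that does the Received: walk described above and in the Received: section, run over the forged Earthlink message just analysed. It reads the Received: lines in header order (the first is the one your own server added), splits each into the name the sender gave for itself, the real name and IP address the receiving host recorded, and the receiving host, and then applies the notes' checks: an IP address with a component over 255 makes the whole line fake, a "from" that is an email address rather than a machine name is bogus, and a recorded name that does not match the claimed name marks the likely forgery point, after which every later line is treated as suspect. The trimmed sample message, BOGUS_LINE, and the org_domain heuristic (compare only the last two DNS labels, so that denmark.it.earthlink.net and denmark-c.it.earthlink.net count as the same site rather than as a lie) are my constructions, not anything from the notes.

```python
import re
from email import message_from_string

# Constructed sample: the forged Earthlink message from the notes, trimmed to
# the envelope line and the header lines the audit below looks at.
FORGED = """\
From webpromo@denmark.it.earthlink.net Tue Jul 8 13:05:02 1997
Return-Path:
From: webpromo@denmark.it.earthlink.net
Received: from denmark.it.earthlink.net (denmark-c.it.earthlink.net [204.119.177.22])
    by best.com (SMI-8.6/mail.byaddr) with ESMTP id NAA21506 for ; Tue, 8 Jul 1997 13:05:16 -0700
Received: from mail.earthlink.net (1Cust98.Max16.Detroit.MI.MS.UU.NET [153.34.218.226])
    by denmark.it.earthlink.net (8.8.5/8.8.5) with SMTP id NAA12436; Tue, 8 Jul 1997 13:00:46 -0700 (PDT)
Received: from adultpromo@earthlink.net by adultpromo@earthlink.net (8.8.5/8.6.5)
    with SMTP id GAA05239 for ; Tue, 08 Jul 1997 15:48:51 -0600 (EST)
To: adultpromo@earthlink.net
Message-ID: <199702170025.GAA08056@no-where.net>
"""

# Constructed line in the style of the notes' foo.com/bar.com illustration,
# with an impossible fourth octet.
BOGUS_LINE = "from foo.com ([129.2.3.400]) by bar.com id AA15057; Fri, 25 Jul 97 09:39:02"

RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>[^\s(]+)"     # what the connecting host called itself
    r"(?:\s*\((?P<comment>.*?)\))?"  # receiver's own note, e.g. (real-name [ip])
    r"\s+by\s+(?P<by>\S+)",          # the host that wrote this line
    re.IGNORECASE,
)
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_received(value):
    """Split one Received: value into helo / rdns / ip / by; None if not 'from X by Y'."""
    m = RECEIVED_RE.match(" ".join(value.split()))   # unfold continuation lines
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IP_RE.search(comment)
    rdns = re.match(r"[^\s\[(]+", comment)           # bare name before any [ip]
    return {
        "helo": m.group("helo").lower().rstrip("."),
        "rdns": rdns.group(0).lower().rstrip(".") if rdns else None,
        "ip": ip.group(0) if ip else None,
        "by": m.group("by").lower().rstrip("."),
    }

def ip_is_valid(ip):
    """Dotted quad with every component in 0..255, the sanity check the notes suggest."""
    parts = ip.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def org_domain(name):
    """Crude 'who owns this host' key: the last two DNS labels (a heuristic)."""
    return ".".join(name.split(".")[-2:])

def audit_hop(value):
    """Apply the notes' checks to one Received: line."""
    hop = parse_received(value)
    if hop is None:
        return {"hop": None, "findings": ["unparseable Received: line"], "suspect": True}
    findings, suspect = [], False
    if "@" in hop["helo"]:                            # the forgery's third line
        findings.append("'from' is an email address, not a machine name")
        suspect = True
    if hop["ip"] and not ip_is_valid(hop["ip"]):
        findings.append(f"impossible IP address {hop['ip']}: whole line is fake")
        suspect = True
    if hop["rdns"] and hop["rdns"] != hop["helo"]:
        if org_domain(hop["rdns"]) != org_domain(hop["helo"]):
            findings.append(f"called itself {hop['helo']} but was really "
                            f"{hop['rdns']} [{hop['ip']}]: likely forgery point")
            suspect = True
        else:   # denmark vs denmark-c: same site, just an alias
            findings.append(f"name differs only within {org_domain(hop['helo'])}")
    return {"hop": hop, "findings": findings, "suspect": suspect}

def audit_received_chain(raw_message):
    """Audit every Received: line in header order (entry 0 = your own server).
    Once one hop is suspect, every line below it is treated as suspect too."""
    report, tainted = [], False
    for value in message_from_string(raw_message).get_all("Received", []):
        entry = audit_hop(value)
        if tainted:
            entry["findings"].append("below a suspect hop: may be forged")
            entry["suspect"] = True
        tainted = tainted or entry["suspect"]
        report.append(entry)
    return report

if __name__ == "__main__":
    for n, entry in enumerate(audit_received_chain(FORGED), 1):
        hop = entry["hop"]
        route = f"{hop['helo']} -> {hop['by']}" if hop else "?"
        print(f"Received #{n}: {route}  suspect={entry['suspect']}")
        for finding in entry["findings"]:
            print("    !", finding)
```

Run as a script it prints one verdict per hop: the first line passes (the alias note only), the second is flagged as the Earthlink/Uunet mismatch, and the third is flagged both for containing email addresses and for sitting below a suspect hop. The org_domain comparison is deliberately loose; it keeps a mail farm's host aliases from being reported as lies, but it is only a heuristic and the notes' advice to confirm with the site's administrators still stands.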
Here is another forgery:
Received: from cola.bekkoame.or.jp (cola.bekkoame.or.jp [202.231.192.40])
    by srv.net (8.8.5/8.8.5) with ESMTP id BAA00705 for ; Wed, 30 Jul 1997 01:15:27 -0600 (MDT)
From: beautifulgirls585@aol.com
Received: from cola.bekkoame.or.jp (ip21.san-luis-obispo.ca.pub-ip.psi.net [38.12.123.21])
    by cola.bekkoame.or.jp (8.8.5+2.7W/3.5W) with SMTP id OAA11439; Wed, 30 Jul 1997 14:35:50 +0900 (JST)
Received: from mailhost.aol.com(alt1.aol.com(244.218.07.32)) by aol.com (8.8.5/8.6.5)
    with SMTP id GAA00075 for <"">; Tue, 29 Jul 1997 22:19:42 -0600 (EST)
Date: Tue, 29 Jul 97 22:19:42 EST
Subject: You can have what you want...
Message-ID: <574857638458.HWF39862@aol.com>
Reply-To: beautifulgirls585@aol.com
X-PMFLAGS: 56354433 0
Comments: Authenticated sender is
X-UIDL: vjg79u26gfkjjrty38jf983j309jfyrw
Here, the second Received: line indicates that "cola.bekkoame.or.jp"
received the mail from a machine which identified itself as
"cola.bekkoame.or.jp", but was in fact
"ip21.san-luis-obispo.ca.pub-ip.psi.net".
This mail was probably forged from a Psi.net dial-in account.
As a final proof, the IP address mentioned in the third Received:
line cannot be matched via whois or traceroute. It certainly
doesn't match AOL, indicating that this line is bogus.